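#include <stdio.h>
#include <assert.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/sys_domain.h>
#include <sys/kern_control.h>

#include <darwintest.h>

#define RVI_CONTROL_NAME "com.apple.net.rvi_control"
#define RVI_COMMAND_GET_INTERFACE 0x20

/*
 * Byte pattern the reply buffer is filled with before every getsockopt().
 * Any byte past the length we handed in must still carry it afterwards,
 * otherwise the kernel wrote beyond the length the caller allowed.
 */
#define RVI_CANARY 0xA5

T_GLOBAL_META(
	T_META_NAMESPACE("xnu.net"),
	T_META_RADAR_COMPONENT_NAME("xnu"),
	T_META_RADAR_COMPONENT_VERSION("networking"),
	T_META_ENABLED(TARGET_OS_OSX),
	T_META_ASROOT_(1)
	);

/*
 * Issue RVI_COMMAND_GET_INTERFACE on the connected control socket `fd`
 * with a caller-chosen reply length and check that the kernel honours it:
 * the call succeeds, the reported length never exceeds `req_len`, and no
 * byte of `buf` at or beyond `req_len` is modified.
 *
 * `buf` must hold at least `buf_size` bytes and `req_len` must not exceed
 * `buf_size`.  Returns the length the kernel reported.
 */
static socklen_t
rvi_get_interface(int fd, char *buf, size_t buf_size, socklen_t req_len)
{
	socklen_t len = req_len;

	T_QUIET; T_ASSERT_LE((size_t)req_len, buf_size, "requested length fits the buffer");

	memset(buf, RVI_CANARY, buf_size);
	T_ASSERT_POSIX_SUCCESS(getsockopt(fd, SYSPROTO_CONTROL, RVI_COMMAND_GET_INTERFACE, buf, &len),
	    "getsockopt(RVI_COMMAND_GET_INTERFACE) with len=%u", (unsigned)req_len);

	/* getsockopt() may shrink the length it was given, never grow it. */
	T_ASSERT_LE(len, req_len, "reported length %u fits the %u supplied", (unsigned)len, (unsigned)req_len);

	/* Nothing past the supplied length may have been touched. */
	for (size_t i = req_len; i < buf_size; i++) {
		T_QUIET; T_ASSERT_EQ((unsigned char)buf[i], (unsigned char)RVI_CANARY,
		    "byte %zu past the supplied length left untouched", i);
	}

	return len;
}

/*
 * Regression test: RVI_COMMAND_GET_INTERFACE with a reply buffer smaller
 * than the option value used to cause an out-of-bounds memory access.
 * The test connects to the RVI kernel control and queries the option with
 * a too-small, an exact and an oversized length, checking the reported
 * length each time and that the kernel never writes past what was allowed.
 */
T_DECL(rvi_control_get_interface, "getsockopt on RVI control-socket triggering out-of-bounds memory access", T_META_TAG_VM_PREFERRED)
{
	int fd;

	/* Kernel controls are reached through datagram sockets in PF_SYSTEM. */
	T_ASSERT_POSIX_SUCCESS(fd = socket(PF_SYSTEM, SOCK_DGRAM, SYSPROTO_CONTROL), NULL);

	/* Resolve the control's name to the id the kernel registered it under. */
	struct ctl_info ctl_info = {
		.ctl_name = RVI_CONTROL_NAME
	};
	T_ASSERT_POSIX_SUCCESS(ioctl(fd, CTLIOCGINFO, &ctl_info), NULL);

	/* sc_unit 0 asks the kernel to pick a free unit for us. */
	struct sockaddr_ctl sockaddr_ctl = {
		.sc_len = sizeof(struct sockaddr_ctl),
		.sc_family = AF_SYSTEM,
		.ss_sysaddr = AF_SYS_CONTROL,
		.sc_id = ctl_info.ctl_id,
		.sc_unit = 0
	};
	T_ASSERT_POSIX_SUCCESS(connect(fd, (const struct sockaddr *)&sockaddr_ctl, sizeof(struct sockaddr_ctl)), NULL);

	char data[10];

	/*
	 * Reply buffer shorter than the 5-byte option value the later calls
	 * establish: this is the case the test title is about.  Success here
	 * means the kernel clamped the copy instead of overrunning.
	 */
	(void)rvi_get_interface(fd, data, sizeof(data), 1);

	/* Exactly the option length. */
	socklen_t data_len = rvi_get_interface(fd, data, sizeof(data), 5);
	T_ASSERT_EQ(data_len, 5, "data_len == 5", NULL);

	/* More room than needed: the kernel reports the real length, not ours. */
	data_len = rvi_get_interface(fd, data, sizeof(data), 10);
	T_ASSERT_EQ(data_len, 5, "data_len == 5", NULL);

	T_ASSERT_POSIX_SUCCESS(close(fd), NULL);

	T_PASS("success");
}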